Hi Piotr,

I am not referring to directly connected BGP peers.

I have two routers (R1 and R3) establishing a BGP connection with a router in between. For a successful BGP peering we need to configure either "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2". Hence 2 hops are required.

R1 ---------- R2 ------------- R3

As a general statement, the TTL is decremented after the routing process, when the packet comes to the exit interface. Actually speaking, it is only "1" hop between R1 and R3, right? It is "2" hops only if the packets from R1 transit R3. Now with BGP, the packets go to the RP directly and don't transit, but IOS expects 2 hops for ebgp-multihop or ttl-security. So my question is: when is the TTL decremented for the BGP packets?

With regards
Kings

On Wed, May 11, 2011 at 1:00 PM, Piotr Matusiak <[email protected]> wrote:
> Kings,
>
> I'm not sure if I get you right. Do you want to have ttl-security = 1 and configure eBGP peers on loopbacks?
>
> You can configure it this way but it simply does not work because there are "two" checks that all eBGP sessions have:
> -- TTL is set to "1" on both sides
> AND
> -- the "peer" must be directly connected
>
> When loopbacks are used, it is the second test that fails since the loopback address of the peer is not within a "C" (Connected) subnet. There is ONLY "1" TTL decrement done on the packet.... NOT 2.
>
> The way people always got around this in the past was to use "ebgp-multihop 2" -- which "disables" the connected check. This opens a (small) security hole, so Cisco added the "disable-connected-check" command which permits eBGP between loopbacks + the default TTL=1 setting... and closes the diameter of attacks.
>
> Try this:
>
> router bgp 1
>  nei 2.2.2.2 remote 2
>  nei 2.2.2.2 up lo0
>  nei 2.2.2.2 disable-conn
>
> Regards,
> Piotr
>
> 2011/5/11 Kingsley Charles <[email protected]>
>
>> Hi Piotr/all
>>
>> Waiting for your inputs :-)
>>
>> With regards
>> Kings
>>
>> On Tue, May 10, 2011 at 4:58 PM, Kingsley Charles <[email protected]> wrote:
>>
>>> Hi Piotr
>>>
>>> I labbed it out many times and observed the following:
>>>
>>> With the above given case, which has one router in between, "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2" is required.
>>>
>>> With the same setup, if I use loopback interfaces as the source address, it also requires "neighbor X.X.X.X ttl-security hops 2" or "neighbor X.X.X.X ebgp-multihop 2". Even when we use a loopback interface, the hop count is the same, as the loopback is still on the same router. Hence hops 2 is also required here.
>>>
>>> Earlier my understanding was that the TTL is decremented after the routing process, when the packet lands on the "Forwarding Interface". If the TTL is "0", an ICMP time exceeded is sent back, where the ingress interface's IP address is used as the source address for the ICMP packet.
>>>
>>> Having said this, BGP seems to be specially handled by IOS, where it decrements the TTL though the packet is going to the control plane and not to any forwarding interface.
>>>
>>> With regards
>>> Kings
>>>
>>> On Tue, May 10, 2011 at 4:40 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> Hi Kings,
>>>>
>>>> The TTL is decreased by 1 on every routed hop. If it is decreased on the inside interface that would mean R3 sees 253. I think R3 will see 254 - assuming you're not using loopbacks.
>>>>
>>>> Regards,
>>>> Piotr
>>>>
>>>> 2011/5/10 Kingsley Charles <[email protected]>
>>>>
>>>>> Hi all
>>>>>
>>>>> When a router receives a packet, will the TTL be decremented on the ingress interface or on the egress interface while exiting? I am raising this question due to the following case.
>>>>>
>>>>> R1 ---------- R2 ------------- R3
>>>>>
>>>>> R1 and R3 are eBGP peers and we should configure hops as "2" with BGP TTL security as follows:
>>>>>
>>>>> neighbor X.X.X.X ttl-security hops 2
>>>>>
>>>>> Here R2 is the only router in between which reduces the TTL. If hops is "2", the received TTL should be either 253 or above. Hence, it means the TTL is decremented on the ingress interface, right?
>>>>>
>>>>> With regards
>>>>> Kings
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
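The following is an added example and is not part of the thread, nor Cisco code: a small Python model of the TTL arithmetic behind the two commands Kings and Piotr compare. It assumes the RFC 5082 (GTSM) rule for "ttl-security hops N" (sender uses TTL 255, receiver accepts only a received TTL of at least 255 - N), the plain TTL budget for "ebgp-multihop N" (sender uses TTL N, no lower bound on receipt), and that each transit router decrements the TTL exactly once. The separate directly-connected check that Piotr describes is deliberately not modelled, so the model says nothing about where IOS performs its decrement; it only shows what each check does with a given received TTL.

```python
# Added example, not from the mailing-list thread and not Cisco code.
# Models only TTL arithmetic: GTSM (RFC 5082) for "ttl-security hops N" and
# the outgoing TTL budget for "ebgp-multihop N". The directly-connected
# check discussed in the thread is intentionally left out.

from typing import Optional

MAX_TTL = 255


def forward(initial_ttl: int, transit_routers: int) -> Optional[int]:
    """Carry a packet across `transit_routers` routers sitting between the
    sender and the receiver. Each transit router decrements the TTL once and
    discards the packet if the TTL reaches 0 (assumption: the receiving
    router itself does not decrement). Returns the TTL the receiver sees,
    or None if the packet was discarded on the way."""
    ttl = initial_ttl
    for _ in range(transit_routers):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def gtsm_session_accepted(transit_routers: int, hops: int) -> bool:
    """'neighbor X ttl-security hops N' per RFC 5082: the sender always uses
    TTL 255 and the receiver accepts only if the TTL it sees is >= 255 - N."""
    received = forward(MAX_TTL, transit_routers)
    return received is not None and received >= MAX_TTL - hops


def multihop_session_accepted(transit_routers: int, hops: int) -> bool:
    """'neighbor X ebgp-multihop N': the sender sets TTL N and the session
    forms as long as the packet still has TTL left on arrival. The receiver
    applies no lower bound to the received TTL."""
    return forward(hops, transit_routers) is not None


def spoof_from_distance_accepted(attacker_transit_routers: int, hops: int,
                                 mode: str) -> bool:
    """Would a packet originating `attacker_transit_routers` routers away,
    sent with the most favourable TTL (255), pass the receiver's check for a
    peer configured with `hops`? This is the 'diameter of attacks' point in
    the thread: GTSM rejects anything arriving with too low a TTL, while
    ebgp-multihop accepts whatever reaches the router."""
    received = forward(MAX_TTL, attacker_transit_routers)
    if received is None:
        return False
    if mode == "ttl-security":
        return received >= MAX_TTL - hops
    if mode == "ebgp-multihop":
        return True
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # R1 ---- R2 ---- R3: exactly one transit router between the peers.
    print("R1-R2-R3, ttl-security hops 2:",
          gtsm_session_accepted(transit_routers=1, hops=2))     # True: 254 >= 253
    print("R1-R2-R3, ebgp-multihop 2:",
          multihop_session_accepted(transit_routers=1, hops=2))  # True: TTL 2 -> 1
    # A packet from ten routers away, sent with TTL 255, arrives with 245.
    for mode in ("ttl-security", "ebgp-multihop"):
        print(f"packet from 10 routers away, {mode} hops 2:",
              spoof_from_distance_accepted(10, 2, mode))        # False, then True
```

Running it shows the asymmetry Piotr's "security hole" remark refers to: with hops 2, GTSM accepts the real peer one router away (received TTL 254) and rejects anything that arrives with TTL 252 or lower, whereas ebgp-multihop 2 only limits how far the router's own packets travel and accepts any packet that reaches it.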
